LeakyCreds

CVE-2026-4599 - Vulnerability Analysis

Critical (CVSS 9.1)

Last Updated: March 23, 2026

jsrsasign - Authentication Bypass

Published: March 23, 2026 | Updated: March 23, 2026 | Remote Exploitable

Overview

jsrsasign versions up to and including 11.1.1 contain an incomplete comparison (CWE-1023) in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions. The compareTo checks that are supposed to keep a candidate inside the requested range are incorrect, so the random big integers these functions return are not uniformly distributed over that range. Because they supply the per-signature nonce for DSA, an attacker who obtains signatures produced with the biased nonces can recover the signing private key. Exploitation requires crafted signature requests.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

An attacker who collects DSA signatures produced with the biased nonces can recover the signer's private key. A bias of even a few bits in the nonce, observed across many signatures, is enough for lattice-based (hidden number problem) key recovery, and a nonce the attacker fully knows exposes the key from a single signature. With the recovered key the attacker can forge signatures for anything that trusts it.

Mitigation

Update jsrsasign to a version later than 11.1.1, or to the latest available release. Note that the advisory text quoted under Social Media Activity gives the affected range as 7.0.0 up to but not including 11.1.1, so confirm the fixed version against the upstream release notes before relying on either boundary. Because signatures already produced with a vulnerable version may have leaked the key, treat DSA private keys that signed with affected versions as potentially compromised and rotate them.

Social Media Activity (4 posts)

TheHackerWire
@thehackerwire
Mar 23, 2026

🔴 CVE-2026-4599 - Critical (9.1) Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recove... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-4599/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID
CVE-2026-4599
Severity
Critical
CVSS Score
9.1
Type
broken_authentication
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-1023

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.0% (probability of exploitation in the next 30 days)